[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Setup Questions
 Date:  Mon, 7 Nov 2005 21:07:52 -0500
On 11/6/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
> mate can you elaborate on this a little more? Do you mean I can only specify
> firewall rules on outgoing traffic over the VPN from each site? or I can
> only specify rules for traffic entering m0n0wall on each site?
> Could you
> give me an explaination using the scenario of ONLY allowing http traffic
> between OPT2 on Site1 and OPT2 on Site2 over the VPN, based on my
> diagram?

Ok, on OPT2 on site 1 put in rules (above any allow rules that would
match first and hence skip the rest of the rules):

allow TCP source port any dst port 80 source IP dest
deny IP source IP dest IP

on site 2 OPT2 interface:
allow TCP source port any dst port 80 source IP dest IP

hope I got those subnets right, I don't have the entire original
message handy ( being OPT2 on site 2,
being OPT2 on site 1)

> There will be a server on the OPT2 subnet
> (Site1) that needs to connect to a remote site via an IPSEC VPN tunnel. Can
> I have m0n0wall create the tunnel to this remote site so that only this one
> server on OPT2 can access the remote site. The remote site is not a m0n0wall
> setup it's some sort of IPSEC compliant equipment (not sure exactly what it
> is yet).
> So I would need this tunnel, as well as the tunnel between LAN on
> Site1 and OPT2 on Site2, all happening at the same time, can this be
> done?

yes, you can do that, if the other side allows site to site IPsec
setups, and if the other site doesn't have a network that conflicts
with any of yours.  i.e. the remote network can't be,
or, etc. or any networks that comprise those subnets.

you can put in a rule on that OPT2 interface for that connection,
similar to how you put in the rules above.  But, this is where you run
into the IPsec filtering limitation.  You can control what you let out
to them, but you can't control what they let in to you.  And for
anything that comes in, the reply traffic will be let out by the state
table as with any stateful firewall.  So you have to trust that the
remote side isn't sending anything you're going to want/need to block.
 The safest way to set this up is with the "local subnet" on your side
being a /32 (single IP only).  That way they can still get to anything
and everything on that single IP, but at least it's only that one IP. 
(that should work, I can't say that I've tried it though)